5 steps to make threat intelligence work for you

Imagine your friend’s house is broken into over and over. Each time the intruder gains entry by smashing a window. In response, your friend notices that his door locks aren’t Bluetooth-enabled or biometric, so he buys intelligent door locks for his house.

He is surprised, over and over, that no matter how much he upgrades his door locks and how many other door locks he installs, thieves continue to break in through a window. Sound insane?

This type of scenario plays out over and over in most companies today. No matter how often bad guys and malware keep breaking in, companies keep spending millions of dollars fixing and fighting the wrong issues.

Sometimes the obvious isn’t obvious until someone else points it out. Billionaire Warren Buffet is famous for telling people to buy low and sell high. Apparently that’s hard advice to follow because tens of millions of people sell their investments at a loss whenever a temporary panic sets in.

Here’s my advice for vastly improving your computer security defense: Try to defend against that which has been most successful breaking into the systems you manage.

It’s that simple. Don’t get distracted by the latest gee-whiz technology and the myriad of other projects that people try to get you involved in. Nope, if you want to be a better defender, figure how your company is getting compromised, especially the root causes behind the initial entries, and mitigate those issues. Unfortunately, this advice can be hard to put into practice in a complex environment with many distractions.

How do you fix the window instead of the door? Here’s a four-step plan:

1. Dig into threat intelligence

Threat intelligence is all the incoming data that you or your company analyze to determine which threats to worry about. Unfortunately, with 15 new threats coming at you every day, it’s hard to figure out where to place your concerns.

Here’s my take: Turn your attention to what has already happened to you. Contrary to popular belief, most adversaries are not super hacking experts. Most like using what has worked in the past, and they’ll go with the same program and technique over and over until it has no more utility. Past behavior is one of the best predictors of future behavior. Plus, if your company is hacked a lot because of a particular unpatched program or another technique, this usually reveals a gap that needs extra attention.

The most important threat intelligence isn’t a vendor’s threat “feed.” It’s your own data. Start locally before thinking globally.

Next, pay attention to what’s happening around you. Have some of your competitors or partners been attacked by a particular hacking group? What are they seeing? Then, finally, you can start thinking about the popular global attacks that are hitting every company. But remember: Your own data is the best threat intelligence feed.

2. Use threat monitoring and detection

In order to ensure you’re getting the best local threat intelligence, you have to make sure your company is actually detecting malicious activity.

I know plenty of companies that wonder why they haven’t been attacked by an advanced persistent threat (APT) when nearly everyone else in the world has. I have a clue for them: You’ve been compromised, but you’re not looking in the right places. Survey after survey reveals that most companies had the data they needed to detect malicious hacking, but didn’t look at it. They set up event logging and forgot it.

While you need an enterprisewide threat detection plan, as with threat intelligence, start with your own experience. What would it take to detect those things? If you can detect what has successfully compromised your company in the past with a high degree of proficiency, then you’ve gone a long way toward a successful threat detection program.

Lastly, if you tell me that you track billions and billions of events, I’m not impressed. Those are billions and billions of useless events. It’s almost all noise. I’m more impressed if you told me that you have defined one to two dozen events that always indicate maliciousness. Less is more in the threat detection world.

3. Communicate!

Once you’ve identified likely threats and how to detect them, communicate what you’ve discovered throughout the enterprise. I’m always surprised that almost no one, even on the IT security team, understands the top threats. If neither the security team nor the enterprise knows, how can you fight the badness? The answer: You can’t.

Once you’ve identified the top threats, distribute a ranked list to everyone, including all users and senior managers. You’ll be surprised by how much help you’ll get in the right places if you alert everyone to the main problems. Threat intelligence in secret does no one any good.

4. Measure mitigation success

When you’ve identified the top threats and spread the word, encourage everyone to think about and select mitigations. In fact, I would analyze every IT security project and rank them according to how well they help mitigate the top threats you’ve identified — no use in spending money on projects that fail to minimize or stop the top threats.

Hold mitigations and their sponsors accountable. If someone said X product would stop Y threat, and you spent money on it, measure its success in doing what it said it could do. This is not about admonishing people for choosing the wrong implementations. It’s simply part of the process for figuring out why it was the wrong choice. Only by examining your mistakes can you improve future projects.

5. Put it all together

The most intelligent threat intelligence yields successful mitigations. It’s not enough to report what you found out. Threat intelligence needs to be part of making sure the right things are deployed in the right places.

Someone in the IT security team needs to make sure that root causes are addressed by the mitigations. Someone needs to understand the whole process — and speak up and correct mitigations that have little impact on top problem areas.

Obvious, right?